I am currently writing a paper on the future security challenges of Cloud Computing, and possible solutions to these problems. After many hours of reading articles on the internet (my nearby library have no books available at the moment about the subject) I have certainly learned a lot, but also gotten a lot more confused about what I actually want to include in my paper. Since the theme/area of Cloud Computing is so broad: from services offered to private people vs big businesses - which require different security according to use and data stored etc. But also all the different types that are offered: SaaS, PaaS and IaaS... Private vs hybrid vs public cloud.

My problem might be that I am not very heavy on the tech-knowledge - and many articles seems to either target possible cloud customers(very reassuring about the security of the service) vs posts written and probably targeted on people whom know a lot about this technology and security from before. And I would need something in between that:)

Some of the challenges that I have listed so far are:

Multitenancy & multi-instance architecture: several people/businesses storing their data or applications in the same place - keeping this separate

The possibility that the cloud provider may give access to their customers data to law enforcement institutions, the government etc. Challenge lies in trust, law, agreement between provider and customer..

More Data (possibly very private/confidential) in transit: network technology

Encryption: to effectively search through the data in the cloud this requires unencrypting it - which gives the cloud provider(and possible attackers or instances with ability to effect the provider) to access the data

Identity and access management: Some data should maybe be accessible to outsiders/customers/collaborateurs, while other data should stay confidential

Hypervisor security

Overall big issue: People/businesses no longer in charge of their own data, applications etc... Standard agreements, standards etc for the customer to know what to expect from the provider

So my questions are:

Any recommended articles/pages/blogs to read about the topic

Any important/interesting points I have not included here that might be worth to take a look at

Pages/research or available products that solve or hope to solve in the future any of these challenges

Of solutions I have found so far there is things as Dome9 for cloud firewall management, homomorphic encryption.. So any tips/keywords on this would be amazing!

This question came from our site for professional and enthusiast programmers.

1

This is very interesting topic. Unfortunately I don't think it is a good question for SO. Can you please contact me on e-mail tblachowicz (at) gmail.com? I'm looking for people interested in that topic to share ideas and discuss the challanges.
–
Tomasz BlachowiczDec 12 '11 at 13:22

You may want to add this link to your list of resources: aws.amazon.com/iam
–
Tomasz BlachowiczDec 12 '11 at 13:22

4 Answers
4

There's a wide range of issues that you could include in a cloud security paper. One that I've come across which I think will be the cause of a fair number of problems is the way in which security mis-configuration is exposed to the Internet, and therefore may have a higher likelihood of being exploited.

In a "traditional" network, there's limited visibility of security misconfiguration (eg, missing patches, access controls incorrectly configured, default credentials), and as such there's a lower likelihood of those issues being exploited. This isn't to say that those issues are "ok" in any way just that thy're somewhat hidden from general attackers.

Looking at cloud setups, in some cases a single misconfiguration can be catastrophic from a data security standpoint.

As an example look at companies using Amazon S3 as their main storage for their applications. If the S3 ACLs are done incorrectly it can be possible for people to access any data in that bucket. Also access is controlled by a static API key as well as a username/password pair. If either of those credentials is compromised, again all the data stored on that system is potentially at risk.

To me cloud computing further dissolves the perimeter of the enterprise (IT). I would try to assess what security technologies heavily rely on the presence of a perimeter an what technologies (e.g. DRM) do not assume a perimeter. I would then look to develop a data centric security concept where no perimeter is present.